Re: [Cfrg] Internal collisions
Dan Brown <dbrown@certicom.com> Fri, 31 July 2015 20:08 UTC
Return-Path: <dbrown@certicom.com>
X-Original-To: cfrg@ietfa.amsl.com
Delivered-To: cfrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 336E11ACE5C for <cfrg@ietfa.amsl.com>; Fri, 31 Jul 2015 13:08:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level:
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xDaqn2N7iJUw for <cfrg@ietfa.amsl.com>; Fri, 31 Jul 2015 13:08:51 -0700 (PDT)
Received: from smtp-p02.blackberry.com (smtp-p02.blackberry.com [208.65.78.89]) by ietfa.amsl.com (Postfix) with ESMTP id 6FD781A9174 for <cfrg@irtf.org>; Fri, 31 Jul 2015 13:08:51 -0700 (PDT)
Received: from xct103cnc.rim.net ([10.65.161.203]) by mhs215cnc.rim.net with ESMTP/TLS/AES128-SHA; 31 Jul 2015 16:08:51 -0400
Received: from XCT115CNC.rim.net (10.65.161.215) by XCT103CNC.rim.net (10.65.161.203) with Microsoft SMTP Server (TLS) id 14.3.210.2; Fri, 31 Jul 2015 16:08:50 -0400
Received: from XMB116CNC.rim.net ([fe80::45d:f4fe:6277:5d1b]) by XCT115CNC.rim.net ([::1]) with mapi id 14.03.0210.002; Fri, 31 Jul 2015 16:08:49 -0400
From: Dan Brown <dbrown@certicom.com>
To: "'djb@cr.yp.to'" <djb@cr.yp.to>, "'cfrg@irtf.org'" <cfrg@irtf.org>
Thread-Topic: [Cfrg] Internal collisions
Thread-Index: AQHQy68R+xgpZDff0UGF08OtLC2WBJ316kiQ
Date: Fri, 31 Jul 2015 20:08:49 +0000
Message-ID: <810C31990B57ED40B2062BA10D43FBF5E1DC43@XMB116CNC.rim.net>
References: <D1DFC4DD.512B0%kenny.paterson@rhul.ac.uk> <810C31990B57ED40B2062BA10D43FBF5E1B4F4@XMB116CNC.rim.net> <20150727180148.GA20149@LK-Perkele-VII> <55B66F2E.8070105@sbcglobal.net> <810C31990B57ED40B2062BA10D43FBF5E1B345@XMB116CNC.rim.net> <20150731163636.21016.qmail@cr.yp.to>
In-Reply-To: <20150731163636.21016.qmail@cr.yp.to>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.160.251]
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="SHA1"; boundary="----=_NextPart_000_002B_01D0CBAB.2FCF8640"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/cfrg/HA7QihsaR4lBU5fdG8W9x3YDo7M>
Subject: Re: [Cfrg] Internal collisions
X-BeenThere: cfrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Crypto Forum Research Group <cfrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/cfrg>, <mailto:cfrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/cfrg/>
List-Post: <mailto:cfrg@irtf.org>
List-Help: <mailto:cfrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2015 20:08:54 -0000
> -----Original Message----- > From: D. J. Bernstein > reading twice through the message---so a stateless deterministic > IUF interface requires a variable-length buffer or a limited > message length. [DB] If CFRG will support message-length buffered IUF signers that can fall back to pre-hashing whenever needed, then, as I said before, I would amend my proposal to make it similar to the other proposals. I.e., to use H(R,M) falling back to H(M,R), or just to pre-hashing H(R,H(M)) for alignment with the other proposals. The reason my proposal has H(M,R) is because I interpreted the various CFRG polls to _require_: - IUF signer (i.e. message streaming/buffering), - fixed-length buffer (for signer and verifier), i.e. a buffer shorter than the message length, - stateless signer, - deterministic signer. The H(R,M) proposals are _incompatible_ with this interpretation. > * H(seed,M) followed by H(R,M): Collision-resilient. Serious defense > against the possibility of collisions in H. > [DB] Yes, but incompatible with CFRG requirements as I understand them. > * H(seed,M) and in parallel H(M,R): _Not_ collision-resilient; > resilient only to external collisions, not internal collisions. [DB] You didn't mention that my proposal requires a wide-pipe hash. Wide pipe hashes are a _serious_ defense against the possibility of collisions. For consistency, if CFRG views prefixed wide-pipe hashes as a serious general-purpose PRF construct, thereby obviating the need for HMAC's extension-resilience, then it is not much of stretch to say that a wide-pipe hash obviates the need for H(R,M)'s collision-resilience. > This is not much safer than simply using H(M). [DB] In my ECDSA_CFRG proposal, there are two security benefits of H(M,R) over H(M): - Pointcheval-Stern security analysis in the random oracle model - External collision resilience. Oops, in Watson Ladd's proposal: H(M,R) has no known feasible attacks, but changing this to H(M) makes it forgeable: the verification equation would only have R appearing once, so you can just solve for R. > > * H(M): Not collision-resilient. [DB] As I interpret the CFRG requirements, the H(R,M) proposals will be forced to pre-hash and fall into this situation: they are _not_ collision-resilient. Ok, the H(M,R) proposal may only be "slightly safer" than H(M) (ignoring Watson's proposal), especially if you doubt the random oracle like promises of the SHA3 competition. So, maybe this slight safety gain does not warrant the dual hashing of H(M,R). If H(M,R) signers are just too slow, then either pre-hash, or if desperate for collision-resilience, secretly maintain a stateful PRG and feed its output into the PRF input. If you're worried CFRG will find out, then try to ensure some message control that ensures you never sign the same message twice. > > What three proposals actually do is take the "H(seed,M) followed by H(R,M)" > approach for maximum security, optionally wrapped in the H(M) prehashing > approach for people who need maximum performance and aren't worried > about collisions. The other two proposals focus on the middle option, which I > see as an unhappy combination of close-to-worst speed and close-to-worst > security. > > Dan Brown writes: > > If 2^256 is the best/expected number of steps for an internal > > collision on 256-bit wide pipe hash > > Do 24 rounds of SHA-512 provide 2^128 times more security than 24 rounds > of SHA-256? Does MD5 have security level 2^64? This metric isn't useful. > > >From a risk-assessment perspective, there's no difference between > generic attacks taking time 2^128 and generic attacks taking 2^256; they're > simply not going to happen. What matters are the _non-generic_ attacks, and > those produce internal collisions by the same techniques as external collisions. [DB] The Wikipedia page for MD5 mentions a 2^24 collision attack, which is 2^(64-40), so MD5 can be viewed as 2^40 times weaker than a generic hash of the same size. Alternatively, this is 2^(64 * 3/8), so there MD5 has only 3/8 of the "bits" of collision security that a generic hash would have. In a naïve risk assessment, I would attempt to extrapolate along these lines, estimating collision resistance of SHA-X for X=256 or X=512 to be 2^((X/2)-w) or 2^((X/2) * v), on the basis that SHA-256 and SHA-512 have similar designs and thus similar values of w and v, and probably somewhat better than the corresponding values of MD5. This approach yields an assessment that SHA-512 is much safer, and well beyond feasible. But perhaps I did not fully comprehend your reduced-round examples. Sorry. Maybe a better risk assessment of SHA-512's collision resistance is the same as SHA-256. Is that what the reduced-round attacks are indicating: no difference between SHA-512 and SHA-256? What about for SHA-3? If the SHA-2 designs are such that reduced-round attacks indicate that SHA-512 larger's state has no benefit, then I'd worry about their design considerably. In that case, I'd probably amend my proposal to require SHA-3.
- [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions David Jacobson
- Re: [Cfrg] Internal collisions Ilari Liusvaara
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions Paterson, Kenny
- Re: [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions D. J. Bernstein
- Re: [Cfrg] Internal collisions Dan Brown
- Re: [Cfrg] Internal collisions Bryan Ford
- Re: [Cfrg] Internal collisions D. J. Bernstein